Gray Hats: Tapping Into the Dark Side to Secure Data

What do Spiderman and gray hat hackers have in common? Well, one could easily liken the superhero to the group that the IT security community views warily. Besides the fact that both parties are intriguing and shrouded in mystery, they both seemingly live on the edge and occasionally flout various legal and ethical boundaries in the name of “the common good.”

White Hats. Gray Hats. Black Hats.

“There’s a joke that in old cowboy Westerns you could always tell who the bad guys were because they wore black hats, and the good guys wore white hats,” said Steven Mizrach, adjunct professor of anthropology at Florida International University. “Many hackers insist that they’re gray hats — they do things that society views as being bad or evil, but in fact they’re serving a higher purpose, which is for good.”

Even though there are no clear-cut boundaries, gray hats can be differentiated from white hats and black hats in their activities and intentions.

“Black hats are [into hacking] for the money, for prestige,” said W. Hord Tipton, executive director of (ISC)². “White hats, on the other end, are dedicated to doing things the right way — they follow very rigid rules and they aspire to a very tight code of ethics. The gray hats are somewhere in between — when people like to achieve good things [but] don’t necessarily want to follow the rules and generally end up saying the end justifies the means.”

Tipton recalled his days working for the government, where everyone played by the rules.

For example, when penetration tests were conducted, at least one trusted party would be aware that a penetration test was about to take place and that something might go wrong. “You obviously don’t let everyone in on it or you lose a lot of the value of the testing,” Tipton said. “[Still,] you always have someone in charge who knows the general parameters of the test [so that] if damage does occur, then they [work] to minimize and mitigate what goes wrong.”

At the other extreme, the black hat approach penetrates a system and modifies it without anyone’s knowledge or permission: in other words, hacking.

What Motivates Gray Hats?

Experts say financial motivations are often at play in gray hat activities — a problem that has become particularly acute lately because of the unpredictable nature of the economy.

“More and more people are saying, ‘I need money for my family; I need to make sure I can have protection for my needs; I have all this great knowledge, and I have people who are coming to me saying they will pay me,’” said John Pironti, president of IP Architects LLC and member of ISACA’s Certification Board. “They look for justifications and excuses. As soon as you start injecting financial or personal gain into [it], things start to get dicey.”

While there are regulations in place in the United States to curb this type of hacking activity, many gray hats are unrestrained in other parts of the world.

“We have a lot of cases coming out of Eastern Europe right now because people are saying, ‘We have no other ways to make money — we know how to do this, we have the Internet, and we don’t have cyber laws that prevent us from doing it,’” Pironti explained. “[Whereas] if you’re in the U.S. and you’re found to be doing something within the boundaries of the country, you can be prosecuted.”

Apart from the expectation of financial rewards, an individual could choose to become a gray hat to establish his name and give himself an ego boost within the hacker community.

“There’s a certain amount of boasting, and people want to be known for their achievements and accomplishments,” Mizrach said. “[Although] it’s usually under a pseudonym.”

According to Pironti, this type of prestige — or “social benefit,” as he calls it — inside the hacker community used to be the predominant motive for individuals to turn to gray hat activities.

“The motivation is no longer social gain because these younger adversary communities have grown up and [realized] they had to pay the bills; they realized they could do these activities, but better to keep it quiet and not tell anybody so they could do it longer,” he said. “As soon as they go public, they get a couple weeks of notoriety and become well-known researchers for maybe a couple of years, but then they find that they can’t work [any longer] in certain environments.”

For instance, Pironti said many financial institutions forbid their IT departments from working with known gray hats because of the confidential nature of the financial information and the fact that these individuals may not be trustworthy.

Then again, many argue that most gray hats don’t hack for malicious purposes, but are instead driven to take a walk on “the dark side” by an inherent curiosity to learn more about the functioning of various Web sites and systems.

“There are very few people who do this strictly out of a desire to cause malicious harm to anyone else,” Mizrach said. “If they aren’t trying to hack sites to improve their security, what many of them are driven by is a deep curiosity and the desire to understand how things work from the inside.”

For Good or Evil? The Ethical Dilemma Surrounding Gray Hats

Do the ends justify the means? This seems to be the predominant question that comes to mind whenever the topic of gray hat hacking ethics is raised.

Mizrach cited a recent incident in which a group of individuals went to several federal buildings with bomb-making tools. They proceeded to penetrate the security of the buildings and assemble bomb devices in the bathrooms.

“Now the point is: Why did they do this? Were they evil people wanting to blow up the buildings? No. They were people who wanted to show that the security for these buildings was insufficient,” he said. “In other words, they did something that looked like an evil act, but the real truth was they wanted to get the buildings to beef up their security.”

A direct parallel can be drawn in the gray hat community. “What gray hat hackers do is penetrate the security of Web sites in order to show that the security is insufficient and that [the companies] should increase it,” Mizrach said.

Pironti explained that the gray hat community indulges in its hacking activities in order to stay informed and keep abreast of activities among notorious adversarial hacking communities.

“The gray hat concept is the understanding by many people in the information security community that as much as we want to stay away from the adversary, as much as we want to stay away from the bad things that people do, the only way we can understand what’s going on is to interact to some degree with that community,” Pironti said. “A number of gray hats will tell you that you need to be somewhat close to the pulse of that activity in order to truly appreciate the level of progression in capability, motivation and knowledge to carry out these activities.”

However, this doesn’t automatically imply that gray hats always have the purest of intentions.

“The gray hat will always be in this conundrum of whether to be part of that community of black hats,” Pironti said, adding that a gray hat can only be a “lurker” for so long before the black hat community insists that they either contribute to the community or get exiled.

“The gray hats are [dealing with] this constant challenge of, ‘If I don’t keep myself as part of the community [by] providing certain pieces of data or certain value propositions, I’m no longer going to be able to gain access to the knowledge that’s going on in the community,’” he said.

Still, even those gray hats who conduct business with the right motives always run the risk of encountering problems along the way.

“I’d like to believe all gray hats start out as good people — with the intention of trying to make things better in the world,” Pironti said. “It’s just that through a series of very well-educated, well-coordinated actions, individuals learn how to exploit their capabilities and exploit individuals and, before they know it, they’re doing things they didn’t mean to do. [For example,] research from a code is being used in ways that it never was intended to be used; a lot of guys are developing tools in the name of research that will then be modified for malicious purposes and they don’t know it’s going to happen.”

White hats, on the other hand, refuse to compromise their ethics in any way.

“The white hat says, ‘Look, I don’t want to be in the position where I have to compromise my morals, values and ethics to carry out my work activities, so it’s better to be in a passive, reactive mode than it would be to in some way jeopardize myself,’” he said.

Hacking Activities Can Have Legal Implications

“When you violate the security of a Web site, in many cases you’re violating various laws relating to computer crime,” Mizrach said.

To some, hacker activities can be classified, for the most part, as right or wrong with very little room for nebulous areas.

“Maybe I’m thinking like a former federal agent, but we tend to see things a lot more black and white, and there’s no law that allows anyone to go in on their own and test someone’s system without mutually agreed to rules of engagement,” Tipton said. “There are all sorts of shades of gray, and many — maybe even most — of them are very well intended, but it still doesn’t keep [the activities] from being illegal.”

There are computer-crime acts, such as the Data Protection Act of 1998, that establish boundaries and penalties for disorganized hacking activity, and the laws put in place over the past decade are even more stringent and carry even harsher penalties, Tipton said.

Gray hat hackers who choose to sell or post information on the Internet run the risk of facing legal action. While it’s nearly impossible to prosecute every case, the likelihood of prosecution depends on how egregious the security breach is.